Force mime for notebooks (#1117) #1118

Merged
merged 2 commits into from Jun 21, 2021
Conversation

scudette
Contributor

Notebooks and downloads used http.FileServer, which has a couple of
problems:

  1. It sniffs the mime type when serving files. This may lead to stored
     XSS because users can upload to notebooks.
  2. It allows directory listing by generating index files.

This change stops these by forcing 404 on directory access and forcing
binary/octet-stream on all items in the notebook.
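
The hardening the description outlines, written out as an added Go example. This is not the Velociraptor code merged in this PR; the type and constructor names noSniffFileServer and NewNoSniffFileServer are assumed for illustration, and the header value used is application/octet-stream, the IANA-registered spelling of the type the description calls binary/octet-stream. The handler answers 404 for any directory (where http.FileServer would look for index.html and otherwise generate a listing) and sets Content-Type before calling http.ServeContent, which only falls back to extension lookup and DetectContentType when no Content-Type is already present. It additionally sends X-Content-Type-Options: nosniff and a Content-Disposition attachment header, neither of which the PR description mentions.

```go
package main

import (
	"log"
	"mime"
	"net/http"
	"os"
	"path"
	"path/filepath"
)

// noSniffFileServer is a hypothetical replacement for http.FileServer that
// (1) answers 404 for any directory instead of rendering an index listing and
// (2) pins Content-Type to application/octet-stream before the body is written,
// so net/http never runs DetectContentType on user-uploaded bytes.
type noSniffFileServer struct {
	root string // filesystem directory the handler is confined to
}

// NewNoSniffFileServer returns a handler serving the files under root.
func NewNoSniffFileServer(root string) http.Handler {
	return noSniffFileServer{root: root}
}

func (h noSniffFileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet && r.Method != http.MethodHead {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}

	// path.Clean on a slash-rooted URL path collapses every "..", so the
	// joined filesystem path cannot climb out of h.root (symlinks aside).
	urlPath := path.Clean("/" + r.URL.Path)
	fsPath := filepath.Join(h.root, filepath.FromSlash(urlPath))

	f, err := os.Open(fsPath)
	if err != nil {
		http.NotFound(w, r)
		return
	}
	defer f.Close()

	info, err := f.Stat()
	if err != nil {
		http.NotFound(w, r)
		return
	}
	if info.IsDir() {
		// http.FileServer would look for index.html and otherwise generate a
		// listing here; a directory is never a valid download target.
		http.NotFound(w, r)
		return
	}

	// ServeContent only sniffs when Content-Type is absent, so set it first.
	w.Header().Set("Content-Type", "application/octet-stream")
	// Tell browsers not to second-guess the declared type.
	w.Header().Set("X-Content-Type-Options", "nosniff")
	// Offer the file as a download rather than letting the browser render it.
	cd := mime.FormatMediaType("attachment", map[string]string{"filename": path.Base(urlPath)})
	if cd == "" {
		cd = "attachment"
	}
	w.Header().Set("Content-Disposition", cd)

	http.ServeContent(w, r, info.Name(), info.ModTime(), f)
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewNoSniffFileServer(root)))
}
```

Run it as `go run . /path/to/notebook` and fetch a file that contains HTML: the body comes back byte-for-byte but with Content-Type: application/octet-stream, and a request for any directory returns 404 instead of a listing.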

scudette and others added 2 commits June 21, 2021 15:01
@scudette scudette merged commit 03d83c6 into v0.6.0 Jun 21, 2021
2 checks passed
@scudette scudette deleted the mime2 branch June 21, 2021 15:21